AWS Organizations: Enable All Features
ACM.188 Step one to set up AWS Organizations CloudTrail.
Part of my series on Automating Cybersecurity Metrics. The Code.
In the last post I wrote about the steps to set up an Organization CloudTrail.
The first step is to enable all features for our AWS Organization. I provided the caveats and prerequisites in the last post.
TLDR; Use the following to see if all features are already enabled for your organization as I explain below.
aws organizations describe-organization

In a prior post I created a function to enable SCPs. I started to replace that function thinking that enabling all features would enable SCPs. Spoiler alert: it doesn't.

Recall that our SCP function in the org_function.sh file included via the source command above looks like this:

Tangent: If anyone has a hard time reading that, you can find it in the source code. I was tweaking color schemes in VIM and don't have more time to mess around with it.
Create a new function called enable_all_features() and use the AWS CLI command below.

Now here’s where things get a little odd for me. I get an error stating that all features are already enabled when I run this command. However, I never explicitly did that.
Let’s see what the organization looks like by running:
aws organizations describe-organization

Here's what I see (some info redacted):

I am guessing that “FeatureSet”: “ALL” above indicates that all features are enabled. Let’s add a check for that so we only run the command if features are not already enabled.

Sorry for the weird spacing above. I copied the above out of AWS CloudShell which seems to have a lot of issues with copy and paste from a Mac.
Now it appears that "enable all features" doesn't really enable every feature in AWS Organizations. What it does is allow you to use additional features beyond consolidated billing. However, you still need to enable specific things such as Service Control Policies separately. So I altered my deployment script to call enable all features first, then enable SCPs.
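Here is an added example of the two-step sequence described above, written for this post and not taken from the author's org_function.sh. It gates `enable-all-features` on the `FeatureSet` value from `describe-organization`, then enables the SCP policy type on the root as a separate call; the function names and the assumption that the AWS CLI is configured for the management account are mine.

```bash
#!/bin/bash
# Added example (hypothetical helper names, not the post's own script).
# Assumes: AWS CLI v2 configured with management-account credentials.

# Decision helper: FeatureSet is "ALL" once all features are enabled,
# "CONSOLIDATED_BILLING" otherwise. Returns 0 when enabling is still needed.
needs_all_features() {
  case "$1" in
    ALL) return 1 ;;   # already enabled, nothing to do
    *)   return 0 ;;   # CONSOLIDATED_BILLING (or empty): run enable-all-features
  esac
}

# Decision helper for the SCP policy type status read from list-roots.
# Returns 0 unless the status is already ENABLED.
needs_scp_policy_type() {
  case "$1" in
    ENABLED) return 1 ;;
    *)       return 0 ;;
  esac
}

# Step 1: only call enable-all-features when FeatureSet is not ALL,
# which avoids the "already enabled" error the post describes.
enable_all_features() {
  feature_set=$(aws organizations describe-organization \
    --query 'Organization.FeatureSet' --output text) || return 1
  if needs_all_features "$feature_set"; then
    echo "FeatureSet is $feature_set; enabling all features"
    aws organizations enable-all-features
  else
    echo "All features already enabled (FeatureSet=$feature_set)"
  fi
}

# Step 2: enabling all features does not turn on SCPs; that is a separate
# call against the organization root, also gated on current status.
enable_scps() {
  root_id=$(aws organizations list-roots \
    --query 'Roots[0].Id' --output text) || return 1
  scp_status=$(aws organizations list-roots \
    --query 'Roots[0].PolicyTypes[?Type==`SERVICE_CONTROL_POLICY`].Status' \
    --output text) || return 1
  if needs_scp_policy_type "$scp_status"; then
    aws organizations enable-policy-type --root-id "$root_id" \
      --policy-type SERVICE_CONTROL_POLICY
  else
    echo "SCPs already enabled on $root_id"
  fi
}
```

Call `enable_all_features && enable_scps` from the deployment script; both functions are idempotent, so re-running them is safe.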

That works.

I added the enable all features function to my organization creation script because I noticed it is required for SCPs as well. I'm not sure exactly how it got enabled in my organization, but just in case it causes an issue for anyone, I added the command to my script. However, if you have been following along and have already enabled SCPs, you can query your organization to see if all features are enabled as described above.
So really, there was nothing to do here but oh well. We have a new function now that validates all features are enabled.
Follow for updates.
Teri Radichel | © 2nd Sight Lab 2023
About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab

Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation

Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab